GRCWatch
Sign inStart free trial

CIS Control 8.7: Collect URL Request Audit Logs

URL request audit logging is your detection layer against users accidentally—or deliberately—accessing known malicious sites. CIS Control 8.7 requires collecting and analyzing these logs to identify compromise attempts before they damage your environment. For SMBs without dedicated security teams, automating this collection is the difference between spotting threats and missing them entirely.

What this means

This control requires your organization to collect and retain audit logs of all URL requests made by users and devices on your network. These logs must be analyzed to identify attempts to access known malicious domains, phishing sites, and other dangerous URLs. The goal is early detection and response—catching malicious access attempts before they result in data breaches, malware infections, or credential compromise. You need visibility into what websites your users are visiting and the ability to correlate that activity with threat intelligence feeds that track known malicious sites.

How to comply

  1. 1.Deploy web proxy or DNS filtering solutions that log all URL requests from your network
  2. 2.Integrate your logging infrastructure with threat intelligence feeds that identify known malicious domains
  3. 3.Configure automated alerts when users attempt to access flagged malicious URLs
  4. 4.Establish a log retention policy (minimum 90 days recommended) for audit trail compliance
  5. 5.Review and analyze URL logs on a weekly basis or set up SIEM rules for real-time detection
  6. 6.Document your URL logging procedures and maintain records of malicious site access attempts
  7. 7.Train users to report suspicious URLs and blocked site warnings

Evidence auditors look for

  • Web proxy logs showing URL requests with timestamps, source IPs, usernames, and destination domains
  • DNS query logs capturing domain resolution attempts blocked or allowed
  • Firewall or security appliance logs documenting blocked connections to known malicious sites
  • Alert records showing automated detection of access attempts to threat intelligence-flagged domains
  • Weekly or monthly URL log analysis reports with findings and remediation actions
  • Security policy documentation describing URL logging and monitoring procedures
  • Incident response reports showing how URL logs were used to investigate security events

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically centralizes URL audit logs from your network devices, correlates them with up-to-date threat intelligence feeds, and generates CIS 8.7 compliance reports—eliminating manual log review and ensuring you detect malicious site access attempts in real time.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS 8.1 — Establish Audit LoggingCIS 8.2 — Collect Client-Side Audit LogsCIS 8.5 — Collect Wireless Access Point Audit LogsCIS 8.11 — Collect All Detailed Activity LogsCIS 9.3 — Address Unauthorized Software